Nextcloud-desktop update for Debian 11 LTS


A recent security update has been issued for the Nextcloud desktop package in Debian GNU/Linux 11 (Bullseye) LTS, addressing several vulnerabilities that could compromise user data and application security. The update, designated as DLA-4303-1, was announced on September 18, 2025, and pertains to the nextcloud-desktop version 3.1.1-2+deb11u2.

The vulnerabilities include:

- CVE-2022-39331 and CVE-2022-39332: Allow attackers to inject arbitrary HTML into the desktop client via notifications and user status, which could lead to phishing or other malicious activities.
- CVE-2022-39333: A general injection vulnerability in the desktop client application.
- CVE-2022-39334: A flaw in the command-line utility nextcloudcmd which could trust invalid TLS certificates, potentially enabling man-in-the-middle attacks that expose sensitive data.
- CVE-2023-28997: A serious issue where a malicious server administrator could access and modify the contents of end-to-end encrypted files.

To mitigate these security risks, users are advised to upgrade their nextcloud-desktop packages to the latest version. For ongoing security updates and best practices on maintaining system integrity, users can consult the Debian LTS security advisories and the security tracker for nextcloud-desktop.

In addition to these vulnerabilities, users should remain vigilant about overall system security and consider implementing additional security measures, such as regular audits of software packages, utilizing firewall configurations, and ensuring that all network communications use secure protocols. Keeping abreast of security updates and advisories is crucial for maintaining a secure computing environment, particularly for applications that handle sensitive data.


A security update has been released for the nextcloud-desktop package in Debian GNU/Linux 11 (Bullseye) LTS to fix multiple vulnerabilities. The vulnerabilities include the injection of arbitrary HTML into the desktop client application via notifications, user status, and information, as well as potential man-in-the-middle attacks and the exposure of sensitive data. Additionally, a malicious server administrator can recover and modify the contents of end-to-end encrypted files.

[SECURITY] [DLA 4303-1] nextcloud-desktop security update

Nextcloud-desktop update for Debian 11 LTS @ Linux Compatible